This post is part of our series of FAQs examining the California Consumer Privacy Act (“CCPA”) that should help employers with operations in California to determine if they are required to comply with the CCPA and if so, what steps their HR professionals and IT departments should take to be in compliance.
By way of background, the CCPA is a new privacy law that will go into effect in early 2020. Because the CCPA refers to “consumers” many HR professionals do not realize that the CCPA, as currently enacted, also applies to data collected about California-based employees. Please see our recent blog post for a summary of which employers will be subject to the CCPA and the key requirements of the law.
Although the law will not be in effect until next year, employers who must comply should be addressing compliance obligations now. For U.S. employers who have not had to comply with the European Union’s General Data Protection Regulation (“GDPR”), the requirements of the CCPA will likely require a new analysis of the treatment of employee-data and updated or new data policies. Employers who are required to comply with the GDPR will likely already be familiar with many of the requirements of the CCPA, and a key area of interest is the degree to which the CCPA aligns with GDPR for purposes of implementing CCPA compliant practices for their California-based employees.
Question #4: What information is not “Personal Information” under the CCPA?
The CCPA excludes “publicly available information” from the types of “Personal Information” subject to the law, and it will also not apply to information that is excluded from the general application of the CCPA.
The CCPA defines “publicly available information” excluded from the law as “information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information.”[1] This definition does not appear to be complete, but likely requires that any conditions associated with such information be satisfied in order to be considered “publicly available.” The definition may be clarified during the CCPA rulemaking process.
Note, the following types of information will not qualify as being “publicly available”: biometric information collected by a business about a consumer without the consumer’s knowledge; information that is used for a purpose not compatible with the purpose for which it is maintained in government records or made publicly available; and de-identified or aggregated consumer information.[2]
The CCPA will also not apply to the following[3]:
1. Protected or health information collected by a covered entity governed by California’s Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56 of Division 1)) or governed by the Health Insurance Portability and Availability Act of 1996 (“HIPAA”). For purposes of the exclusion, the definition of “medical information” in Section 56.05 of the Confidentiality of Medical Information Act and the definitions of “protected health information” and “covered entity” from the federal privacy rule will apply.
2. The sale of personal information to or from a consumer reporting agency if the information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.)
3. Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, if it is in conflict with that law
4. Personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.), if it is in conflict with that law.
For employers, the exclusion of information “governed by” HIPAA is a welcome and understandable exclusion, as “protected health information” is already subject to rigorous standards under HIPAA. This exclusion does, however, raise questions regarding the extent to which personal information will be considered “governed by” HIPAA for purposes of exempting it from the CCPA. For example, many employers do not consider group health plan enrollment information that is collected by employers from employees and transmitted to the group health plan to be “protected health information” subject to the requirements of HIPAA. The reason is they consider the information to belong to the employer, not the health plan. It is unclear when analyzing enrollment data for CCPA compliance if treating enrollment information as exempt from HIPAA would then make it be subject to the CCPA for California-based employees.
These types of considerations highlight the need for employers to conduct in-depth assessments of the types of employee information they collect and to adopt appropriately designed policies to comply with the CCPA.
[1] CCPA, Section 1798.140(o)(2).
[2] Id.
[3] CCPA, Section 1798.145(c)-(f)
[View source.]
